Free Healthcare IT Newsletter Want to receive the latest news on EMR, Meaningful Use,
ARRA and Healthcare IT sent straight to your email? Get all the latest Health IT updates from Neil Versel for FREE!

Email Address:

We never sell or give out your contact information.
We respect our readers' privacy.

Did you see the news yesterday about the ransomware attack against Emory Healthcare in Atlanta?

According to Health Data Management, a hacker breached the appointment scheduling system at the Emory Clinic’s Orthopedics and Spine Center and the Brain Health Center, and demanded an unspecified ransom. The breach affected 79,930 patients.

Emory Healthcare said it learned of the hack on Jan. 3, and the organization submitted a breach report to the HHS Office for Civil Rights on Feb. 21.

But that’s all the organization said, and for good reason. It’s the same reason why MedStar Health in the Washington-Baltimore area has not spoken to the press about its ransomware attack last March and April.

At a preconference symposium before last week’s HIMSS conference in Orlando, Florida, a security expert told attendees that the FBI instructs health systems not to talk publicly about such attacks, or disclose whether they have paid ransom. Hollywood Presbyterian Medical Center in Los Angeles did confirm that it paid about $17,000 ransom a year ago, but as I wrote at the time, the hospital doesn’t seem to have much of a clue about a lot of things, including patient safety and public ratings.

But if you’re wondering why you haven’t heard much follow-up from hacked hospitals, it’s likely because of the FBI, which doesn’t much like to compromise criminal investigations.

Later today, I stopped to pick up my mail in this multi-unit building and saw this sticking out of someone else’s mailbox.

A HIPAA violation waiting to happen

That’s right, it’s a “personal and confidential” letter from Quest Diagnostics, presumably either medical test results or a bill. Either way, it’s a HIPAA violation waiting to happen. In fact, it’s probably already a HIPAA violation because people now know what lab this person used. The envelope is hanging out of this mailbox because it was misdelivered and whoever got it by accident placed it there for the intended recipient. But who’s to say it does wind up in the right hands before someone opens it?

Anyone who thinks paper is still a safeguard against privacy and security breaches, raise your hand. (Crickets.) Sure, electronic transmissions can be intercepted and databases hacked, but if you take the time to encrypt them, you lessen the risk. And should there be a breach, the audit trail that HIPAA requires can help investigators pinpoint the culprit and create a disincentive for employees to leak data.

As for the fax, it’s sadly ironic that a twentysomething is encountering a fax machine for the first time when she enters a healthcare environment. Kill your fax machine! It’s 2014. Why are we still using 1980s technology to transfer health information?

Two weeks ago, I picked apart a terribly misleading, ideologically steeped Fox News story that wrongly linked the initial failure of the healthcare.gov Affordable Care Act insurance exchange to the Meaningful Use EHR incentive program. Among my many criticisms was the reporter’s apparent confusion between an actual EHR and My Medical Records, the untethered PHR offered by MMRGlobal.

In that post, I said, “I haven’t seen a whole lot of evidence that MMRGlobal isn’t much more than a patent troll.”

Bob Lorsch, CEO of that company, posted in the comments that I should put my money where my mouth is and interview him. (I had interviewed Lorsch before, but never wrote a story because of my longstanding policy of not paying attention to untethered PHRs since none that I know of has gained any market traction, despite years of hype.)

As this podcast demonstrates, I took Lorsch up on his offer. It was at times contentious, in part because I challenged many of his statements in the Fox story and to me, and in part because he challenged some of mine.

He asked me a pointed question, whether I still thought he was a patent troll. Based on the fact that MMR actually earned patents on a product it actively markets and didn’t just purchase someone else’s patents for the point of suing others, it’s hard to conclude that he is a patent troll.

A derogatory term used to describe people or companies that misuse patents as a business strategy. A patent troll obtains the patents being sold at auctions by bankrupt companies attempting to liquidate their assets, or by doing just enough research to prove they had the idea first. They can then launch lawsuits against infringing companies, or simply hold the patent without planning to practise the idea in an attempt to keep other companies’ productivity at a standstill.

By that definition, MMR is not. I still don’t think an untethered PHR is a good business model, a belief supported by the fact that publicly traded MMR is a penny stock, currently trading at less than 3 cents per share. I have said that patient engagement, called for on a small scale by Meaningful Use Stage 2 rules, could change the landscape for PHRs—with a better chance in pediatrics than for adult populations—but it certainly will take a few years.

I stand by my original statement that the Fox News story did health IT a huge disservice by latching onto one problem and trying to tie it to an unrelated issue simply because it fits an ideological narrative. As for MMR, well, take a listen and then judge for yourself. It’s a long podcast, but I went through the trouble of breaking it down by discussion point so you can skip around as necessary.

My last post, based on comments from Frost & Sullivan health IT analyst Nancy Fabozzi at last week’s Healthcare Unbound conference, has generated a bit of controversy. Fabozzi said that “Blue Button Plus is totally disruptive,” possibly eliminating the need for some providers to get full-fledged patient portals in order to meet Meaningful Use Stage 2 standards.

In the comments under that post, David Smith of HealthInsight.org, a health improvement consortium in three Western states, correctly pointed out that MU2 requires not just that providers give 50 percent of patients electronic access to their records, but also that 5 percent of patients actually view, download and/or transmit information back to their doctors or hospitals. I also got an e-mail from a GE Healthcare executive reminding me of the view/download requirement as well as the fact that EHR technology had to be certified by an ONC-approved certification and testing body.

The viewing and downloading certainly can be accomplished with Blue Button Plus apps or widgets. In fact, ONC’s Lygeia Ricciardi has said Blue Button Plus could be part of the Stage 3 rules.

Transmitting would seem to necessitate a portal since HIPAA demands — and patients should expect — security when sending protected health information over the Internet. Standard e-mail doesn’t cut it, but e-mail following Direct Project protocols does. MU2 already sanctions Direct Project for health information exchange between healthcare entities. There is no reason why it can’t work for individuals as well, as Dr. Deborah Peel’s Patient Privacy Rights Foundation is trying to facilitate.

This might be a bit unwieldy, asking each patient to set up a Direct e-mail address, but remember, providers only need 5 percent to do so in Stage 2. I see it as perfectly feasible that some small physician practices could bypass the portal and just make do with freely available resources like Blue Button Plus — though Blue Button Plus app developers likely will charge fees — and open-source Direct standards.

Blue Button Plus is a blueprint for the structured and secure transmission of personal health data. It meets and builds on the view, download, and transmit requirements in Meaningful Use Stage 2 for certified EHR technology in the following ways —

Structure: The recommended standard for clinical health data is the HL7 Consolidated Clinical Document Architecture or Consolidated CDA. The C-CDA is an XML-based standard that specifies the encoding, structure, and semantics of a clinical document. Blue Button Plus adopts the requirements for sections and fields from Meaningful Use Stage 2.
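To make the C-CDA structure just described concrete, here is an added example (my own code, not from the post, from Blue Button Plus or from HL7) that parses a constructed, heavily trimmed C-CDA-style document with Python’s standard library, checks that it really is an HL7 v3 ClinicalDocument, pulls out the patient name and the document-type code, and maps each body section to its LOINC code so a receiving system can tell which MU2 sections are present and which are missing. The sample document, the patient name and the list of required sections are constructed for illustration; the LOINC codes and the HL7 namespace are the real ones.

```python
import xml.etree.ElementTree as ET

# Every C-CDA document uses the HL7 v3 namespace and a ClinicalDocument root.
HL7_NS = "urn:hl7-org:v3"
NS = {"hl7": HL7_NS}

# Constructed, trimmed C-CDA-style document (illustration only; a real C-CDA
# carries many more required header elements). Shape: header (templateId,
# document code, patient) followed by a structuredBody of LOINC-coded sections.
SAMPLE_CCDA = """<ClinicalDocument xmlns="urn:hl7-org:v3">
  <templateId root="2.16.840.1.113883.10.20.22.1.1"/>
  <code code="34133-9" codeSystem="2.16.840.1.113883.6.1"
        displayName="Summarization of Episode Note"/>
  <title>Continuity of Care Document</title>
  <recordTarget>
    <patientRole>
      <patient><name><given>Jane</given><family>Example</family></name></patient>
    </patientRole>
  </recordTarget>
  <component>
    <structuredBody>
      <component>
        <section>
          <code code="10160-0" codeSystem="2.16.840.1.113883.6.1"
                displayName="History of Medication Use"/>
          <title>Medications</title>
          <text>Lisinopril 10 mg daily</text>
        </section>
      </component>
      <component>
        <section>
          <code code="30954-2" codeSystem="2.16.840.1.113883.6.1"
                displayName="Relevant diagnostic tests/laboratory data"/>
          <title>Results</title>
          <text>HbA1c 6.1%</text>
        </section>
      </component>
    </structuredBody>
  </component>
</ClinicalDocument>
"""


def parse_ccda(xml_text):
    """Parse and verify that the root is an HL7 v3 ClinicalDocument.

    Documents received from outside the organisation should be fed to a
    hardened XML parser (for example the defusedxml package) instead of the
    plain standard-library parser used here for brevity.
    """
    root = ET.fromstring(xml_text)
    expected = f"{{{HL7_NS}}}ClinicalDocument"
    if root.tag != expected:
        raise ValueError(f"not a C-CDA document: root element is {root.tag}")
    return root


def document_type(root):
    """Return (LOINC code, display name) from the document-level <code>."""
    code = root.find("hl7:code", NS)
    if code is None:
        raise ValueError("ClinicalDocument has no <code> element")
    return code.get("code"), code.get("displayName")


def patient_name(root):
    """Return 'given family' from the header's recordTarget."""
    base = "hl7:recordTarget/hl7:patientRole/hl7:patient/hl7:name/"
    given = root.findtext(base + "hl7:given", default="", namespaces=NS)
    family = root.findtext(base + "hl7:family", default="", namespaces=NS)
    return f"{given} {family}".strip()


def sections_by_loinc(root):
    """Map each body section's LOINC code to its title and narrative text."""
    sections = {}
    path = ".//hl7:structuredBody/hl7:component/hl7:section"
    for section in root.iterfind(path, NS):
        code = section.find("hl7:code", NS)
        if code is None or code.get("code") is None:
            # A section with no code cannot be matched to an MU2 field; skip it.
            continue
        sections[code.get("code")] = {
            "title": section.findtext("hl7:title", default="", namespaces=NS),
            "text": section.findtext("hl7:text", default="", namespaces=NS),
        }
    return sections


def missing_sections(root, required):
    """Return the required LOINC section codes the document does not contain."""
    return sorted(set(required) - set(sections_by_loinc(root)))


if __name__ == "__main__":
    doc = parse_ccda(SAMPLE_CCDA)
    print(document_type(doc), patient_name(doc))
    for loinc, sec in sections_by_loinc(doc).items():
        print(loinc, sec["title"], "->", sec["text"])
    # 11450-4 is the LOINC code for a problem list; the sample omits it.
    print("missing:", missing_sections(doc, ["10160-0", "30954-2", "11450-4"]))
```

The namespace check in `parse_ccda` is the part worth keeping even in a throwaway script: an element search that ignores the HL7 namespace silently matches nothing, so a malformed or mislabelled document would look like one with no sections rather than failing loudly.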

Let me repeat: You can now sign in via Facebook to a HealthVault personal health record.

Though I’m not a lawyer, I’m wondering if Microsoft might not be treading in some dangerous territory. What if it’s possible to link HealthVault updates to Facebook so your entire social network knows that you just got a lab test result back? What if the Facebook location tagger indicates that you’ve just visited an STD clinic? Yeah, sometimes discretion is in order, and Facebook generally isn’t the place to be discreet.

According to Healthcare IT News’ MobileHealthWatch blog, Microsoft’s Sean Nolan was practically giddy about this arrangement helping HealthVault go mobile. I think mobility will help make PHRs a bit more attractive to patients, but I still think PHRs are DOA if they don’t link to EHRs.

I just don’t see a lot of medical practices being willing to send electronic data back and forth to HealthVault accounts if Facebook is handling the security, making MobileHealthWatch’s claim that, in wake of the supposed demise or at least de-emphasis of Google Health, HealthVault is now “more or less unchallenged as the PHR of record” a joke. There’s no such thing as a PHR of record, and there won’t be as long as authentication passes through Facebook.

I moderated two IHT2 conference sessions yesterday, on how health IT underpins Accountable Care Organizations and how business intelligence can create a framework for health information exchange. I haven’t had time to blog about those, but several people seem to have tweeted during those sessions. I therefore present a rundown via Twitter.

The sun is shining here in Chicago and the mercury is supposed to hit 60 degrees today for the first time in months. That could mean only one thing: Spring is in the air, and hope springs eternal, even for the star-crossed Cubs. Though it’s still spring training, noted Yankees fan Glenn Laffel of the Pizaazz blog is in midseason form as he hosts this week’s Health Wonk Review, with an all-star lineup of contributors.

My impassioned defense of Don Berwick makes the big-league roster among the sluggers (health policy), while health IT gets its due respect as a disruptive force by being categorized as the base-stealers.

Of note, longtime HIT blogger Shahid Shah, known as the Healthcare IT Guy, talks security. “I hear a lot of naive talk about how systems are secure because ‘we use SSL encryption’ or ‘we’re secure because we have a firewall.’ Anybody who’s been doing security and privacy work for more than a few months would know how false those statements are,” he writes. To continue the baseball analogy, it’s like a pitcher making a couple of light tosses over to first to keep the base runner honest, then leaving the next pitch out over the middle of the plate.

And now back to an afternoon of watching basketball, er, I mean, answering e-mail or something. o:-)
